1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
How to use functionality
========================
Basic information
-----------------
Certification Client needs the following configuration parameters to work properly:
1. Parameters for connection to certification service API and generate trustore and keystore
- REQUEST_URL *(default: https://aaf-cert-service:8443/v1/certificate/)*
- REQUEST_TIMEOUT *(default: 30000)*
- OUTPUT_PATH *(required)*
- CA_NAME *(required)*
2. Parameters for generate CSR file:
- COMMON_NAME *(required)*
- ORGANIZATION *(required)*
- ORGANIZATION_UNIT *(optional)*
- LOCATION *(optional)*
- STATE *(required)*
- COUNTRY *(required)*
- SANS *(optional)(SANS's should be separated by a colon)*
3. Parameters for secure connection:
- KEYSTORE_PATH *(required)*
- KEYSTORE_PASSWORD *(required)*
- TRUSTSTORE_PATH *(required)*
- TRUSTSTORE_PASSWORD *(required)*
Certification Service Client image can be find on Nexus repository :
.. code-block:: bash
nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
As standalone docker container
------------------------------
You need certification files to connect to certification service API via https. Information how to generate truststore and keystore files you can find in project repository README `Gerrit GitWeb <https://gerrit.onap.org/r/gitweb?p=aaf%2Fcertservice.git;a=summary>`__
To run Certification Client as standalone docker container execute following steps:
1. Create file with environments as in example below:
.. code-block:: bash
#Client envs
REQUEST_URL=<url to certification service API>
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
#Csr config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com
#Tls config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=<password to keystore.jks>
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>
2. Run docker container as in following example (API and client must be running in same network):
.. code-block:: bash
docker run \
--rm \
--name aafcert-client \
--env-file <path to environments file> \
--network <docker network of cert service> \
--mount type=bind,src=<path to local directory>,dst=<OUTPUT_PATH> \
--volume <local path to keystore.jks>:<KEYSTORE_PATH> \
--volume <local path to trustore.jks>:<TRUSTSTORE_PATH> \
nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
After successful creation of certifications, container exits with exit code 0, expected logs looks like:
.. code-block:: bash
INFO 1 [ main] o.o.a.c.c.c.f.ClientConfigurationFactory : Successful validation of Client configuration. Configuration data: REQUEST_URL: https://aaf-cert-service:8443/v1/certificate/, REQUEST_TIMEOUT: 10000, OUTPUT_PATH: /var/certs, CA_NAME: RA
INFO 1 [ main] o.o.a.c.c.c.f.CsrConfigurationFactory : Successful validation of CSR configuration. Configuration data: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
INFO 1 [ main] o.o.a.c.c.c.KeyPairFactory : KeyPair generation started with algorithm: RSA and key size: 2048
INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been started with following parameters: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been completed successfully
INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Conversion of CSR to PEM has been started
INFO 1 [ main] o.o.a.c.c.c.PrivateKeyToPemEncoder : Attempt to encode private key to PEM
INFO 1 [ main] o.o.a.c.c.h.HttpClient : Attempt to send request to API, on url: https://aaf-cert-service:8443/v1/certificate/RA
INFO 1 [ main] o.o.a.c.c.h.HttpClient : Received response from API
INFO 1 [ main] o.o.a.c.c.c.c.PemToPKCS12Converter : Conversion of PEM certificates to PKCS12 keystore
DEBUG 1 [ main] o.o.a.c.c.c.c.PKCS12FilesCreator : Attempt to create PKCS12 keystore files and saving data. Keystore path: /var/certs/keystore.jks
INFO 1 [ main] o.o.a.c.c.c.c.PemToPKCS12Converter : Conversion of PEM certificates to PKCS12 truststore
DEBUG 1 [ main] o.o.a.c.c.c.c.PKCS12FilesCreator : Attempt to create PKCS12 truststore files and saving data. Truststore path: /var/certs/truststore.jks
INFO 1 [ main] o.o.a.c.c.AppExitHandler : Application exits with following exit code: 0 and message: Success
If container exits with non 0 exit code, you can find more information in logs, see :ref:`cert_logs` page.
As init container for Kubernetes
--------------------------------
To run Certification Client as init container for ONAP component, add following configuration to deploymnet:
.. code-block:: yaml
...
kind: Deployment
metadata:
...
spec:
...
template:
...
spec:
containers:
- image: sample.image
name: sample.name
...
volumeMounts:
- mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
name: certs
...
initContainers:
- name: cert-service-client
image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
imagePullPolicy: Always
env:
- name: REQUEST_URL
value: http://aaf-cert-service:8080/v1/certificate/
- name: REQUEST_TIMEOUT
value: "1000"
- name: OUTPUT_PATH
value: /var/certs
- name: CA_NAME
value: RA
- name: COMMON_NAME
value: onap.org
- name: ORGANIZATION
value: Linux-Foundation
- name: ORGANIZATION_UNIT
value: ONAP
- name: LOCATION
value: San-Francisco
- name: STATE
value: California
- name: COUNTRY
value: US
- name: SANS
value: test.onap.org:onap.com
volumeMounts:
- mountPath: /var/certs
name: certs
...
volumes:
-emptyDir: {}
name: certs
...
|
